Strange behaviour of OSC in keystone MFA context

Taltavull Jean-Francois jean-francois.taltavull at elca.ch
Thu Jan 28 07:59:50 UTC 2021


> -----Original Message-----
> From: Sean Mooney <smooney at redhat.com>
> Sent: mardi, 26 janvier 2021 20:01
> To: openstack-discuss at lists.openstack.org
> Subject: Re: Strange behaviour of OSC in keystone MFA context
> 
> On Tue, 2021-01-26 at 17:46 +0000, Taltavull Jean-Francois wrote:
> > Hello,
> >
> > I'm experiencing the following strange behavior of openstack CLI with os-
> auth-methods option (most parameters are defined in clouds.yaml):
> >
> > $ openstack token issue --os-auth-type v3multifactor --os-auth-methods
> > password,totp
> >
> --os-auth-methods does not appear to be a standard part of osc infact i cant
> find it in any openstack repo with
> 
> i think this is the implemtaions
> https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth
> 1/loading/_plugins/identity/v3.py#L303-L340
> 
> this presumable is where it generates teh optins
> 
>   options.extend([
>             loading.Opt(
>                 'auth_methods',
>                 required=True,
>                 help="Methods to authenticate with."),
>         ])
> 
> 
> if i do openstack help --os-auth-type v3multifactor it does show up with the
> following text
> 
> --os-auth-methods <auth-auth-methods>
>                         With v3multifactor: Methods to authenticate with. (Env:
> OS_AUTH_METHODS)
> 
> that does not say much but
> 
> https://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth
> 1/tests/unit/identity/test_identity_v3.py#L762-L800
> implies its a list
> 
> with that said there are no test for multifactor as far as i can see like this one
> https://opendev.org/openstack/python-
> openstackclient/src/branch/master/openstackclient/tests/functional/common/t
> est_args.py#L66-L79
> 
> there also does not seam too be a release note declaring support.
> 
> so while keystone auth support multi factor im not sure that osc actully does
> 
> i specpec that the fild type is not correct and it is indeed been parsed as a string
> instead of a list of stirng field.
> it might be fixable via keystoneauth but  it proably need osc support and testing.
> 
> > The plugin p could not be found
> >
> > Note that "p" is the first letter of "password". It looks like the option parser
> handled "password,totp" as a string instead of as a list of strings.
> >
> > Version of openstack CLI is 5.4.0.
> >
> > Any idea ?
> >
> > Thanks !
> >
> > Jean-François
> >
> >
> 
> 

Thanks for your answer Sean.

What can I do on my end to get things done ?

Jean-François


More information about the openstack-discuss mailing list